auth servers breaking from emojis would be hilarious, pretty sure that's why older accounts only allow certain symbols in passwords
Comment on Security expert reveals surprising way to make your password stronger: use emojis
jordanlund@lemmy.world 10 months ago
Emojis are known to break systems in certain circumstances due to the way they’re interpreted in certain character sets.
I guarantee people doing this will not only lock out their own accounts, but may even freeze some authentication servers.
Arin@kbin.social 10 months ago
jordanlund@lemmy.world 10 months ago
“Your password ‘🤣umådbrø⁉️’ is breaking our server. Please change it.”
mindlight@lemm.ee 10 months ago
“Of course. What is the server’s root password?”
Kusimulkku@lemm.ee 10 months ago
If some auth server breaks because I put emojis in my password then that’s right and deserved
viking@infosec.pub 10 months ago
Sounds like a crappy implementation of the authentication server then, and the sysadmin deserves a paddlin’ for not stripping non-UTF characters (or making sure they work).
My problem with using emojis as part of the password would rather be that while I might be able to enter them on my personal Android phone using the exact keyboard app I have installed right now, I might find myself struggling on a desktop computer or any other phone that doesn’t have this exact keyboard installed. After all, the graphical representation of the same emoji might look different there, and there is a chance I couldn’t even recognize it.
So if anything, I’d say use a non-UTF keyboard like Thai or Chinese, but then a standard character in that specific type. Keyboards layout can be installed across devices and are fully standardized, even if the same character looks slightly different.
Username@feddit.de 10 months ago
Stripping characters from passwords, great idea! Right up there with truncating passwords that are too long.
viking@infosec.pub 10 months ago
[deleted]Username@feddit.de 10 months ago
That’s not how any of this works.
First of all, stripping passwords is never okay. You can reject the password and let the user choose a new one, but never just modify it on your own.
Then, if your system is at risk of code injection by certain characters in user input, please just shut it down and never turn it on again.
ricecake@sh.itjust.works 10 months ago
Doing that is actually a great way to tell attackers that you’re vulnerable to that type of attack.
Bypassing those front end restrictions is super easy, and the attackers don’t need an account or a password to attack you.
It’s like putting a sign that says “lock fragile; don’t tug” on the door to your business.
Honytawk@lemmy.zip 10 months ago
Learn how to sanitise your database inputs first, damnit!
kuneho@lemmy.world 10 months ago
also some OSKs put whitespaces after inserting an emoji, some doesn’t. there’s no unified emoji input method yet.
lolcatnip@reddthat.com 10 months ago
There’s no such thing as a non-UTF8 character. You mean non-UTF8 bytes? If a system sees those, it should reject the entire input, not try to patch it up.
50gp@kbin.social 10 months ago
and there are many trash implementations that dont recognise something like :emoticon: and turn it into emoji, no no you have to use emoji keyboard to type them
lolcatnip@reddthat.com 10 months ago
OTOH, there is only one character set that matters, and any system using a different one is, by that fact alone, broken.
jordanlund@lemmy.world 10 months ago
lolcatnip@reddthat.com 10 months ago
I said only one that matters. So I already did pick one. It’s called Unicode.
jordanlund@lemmy.world 10 months ago
UTF-8 and UTF-16 pretty much do everything, but if you have a UTF-16 emoji in a UTF-8 system, you’ll have a bad day. :(
Salamendacious@lemmy.world 10 months ago
That only applies to iphones that came out 2016 or earlier and we’re never updated right?
Funwayguy@lemmy.world 10 months ago
Hahaha, I wish.
You would be amazed at how ancient and poorly maintained many web servers are on the modern internet. SQL injection still consistently make the top 3 web app vulnerabilities as of 2021. If that isn’t being sanitized properly I don’t expect emojis would be handled much better.
Salamendacious@lemmy.world 10 months ago
Thanks I wasn’t aware of that
jordanlund@lemmy.world 10 months ago
For that particular bug, yes, but there have been many other variations on that theme and not limited to Apple tech. I’ve seen it nuke an email send fir example because the SMTP server choked on emojis placed in a subject, to, or from line.
Salamendacious@lemmy.world 10 months ago
Thanks I appreciate the clarification
abhibeckert@lemmy.world 10 months ago
The website should feeding your password into bcrypt or similar. The output will be a fixed length binary value or hex string.
NightAuthor@lemmy.world 10 months ago
Can you still log in to wellsfargo accounts using the T9 translation of your password?
lemmyvore@feddit.nl 10 months ago
It’s not the processing on the server that’s the problem. To reach the server the password needs to go through several layers of character encoding, if any of them fails the server will receive something different from what you meant. And when you try to login from another device and the layers will be different you’ll effectively be sending a different password.
ricecake@sh.itjust.works 10 months ago
The same character encoding that would break emoji would break a significant portion of the words names, so if your system can’t handle it, then you deserve all the trouble that you run into.
Unicode isn’t that hard.
Dark_Arc@social.packetloss.gg 10 months ago
You’re not wrong, but some systems, especially smaller ones are intended for English-only situations (or originally were) so non-English language situations might not be as well tested and/or may cause things to break.
Remember there are some sites that still refuse service if you put a
"in your password. I’m not saying it’s right, but it’s a definite possibility.lolcatnip@reddthat.com 10 months ago
It’s not the 90s anymore.
Dark_Arc@social.packetloss.gg 10 months ago
That is very much not a 90s problem. Especially if the company has a website and an app or is a small company not thinking about these things.
In theory this shouldn’t be an issue but it definitely could be an issue on certain services.
Vilian@lemmy.ca 10 months ago
make one account with emoji password to test their system, if it break, good, go create hour account somewhere else